FCP - Dump

The document presents a series of questions related to FortiGate firewall configurations and features, including SSL inspection, NTurbo performance enhancements, ECMP configurations, authentication protocols, HA cluster behavior, SD-WAN strategies, and firewall policy adjustments. Each question provides multiple-choice answers that test the reader's understanding of network security concepts and FortiGate functionalities. The content is aimed at network administrators seeking to enhance their knowledge of FortiGate systems.

Uploaded by

Bruna Coutinho

1. A network administrator has configured an SSL/SSH inspection profile defined for full
SSL inspection and set with a private CA certificate. The firewall policy that allows the
traffic uses this profile for SSL inspection and performs web filtering. When visiting any
HTTPS websites, the browser reports certificate warning errors. What is the reason for the
certificate warning errors?

a. The SSL cipher compliance option is not enabled on the SSL inspection profile. This
setting is required when the SSL inspection profile is defined with a private CA certificate.

b. The certificate used by FortiGate for SSL inspection does not contain the required
certificate extensions.

c. The browser does not recognize the certificate in use as signed by a trusted CA.

d. With full SSL inspection it is not possible to avoid certificate warning errors at the
browser level.

2. An administrator manages a FortiGate model that supports NTurbo. How does NTurbo
enhance performance for flow-based inspection?

a. NTurbo creates two inspection sessions on the FortiGate device.

b. NTurbo offloads traffic to the content processor.

c. NTurbo creates a special data path to redirect traffic between the IPS engine and its
ingress and egress interfaces.

d. NTurbo buffers the whole file and then sends it to the antivirus engine

3. Which two statements about equal-cost multi-path (ECMP) configuration on FortiGate
are true? (Choose two.)

a. If SD-WAN is disabled, you can configure the parameter v4-ecmp-mode to volume-based.

b. If SD-WAN is enabled, you control the load balancing algorithm with the parameter
load-balance-mode.

c. If SD-WAN is disabled, you configure the load balancing algorithm in config system
settings.

d. If SD-WAN is enabled, you can configure routes with unequal distance and priority
values to be part of ECMP.

4. A FortiGate firewall policy is configured with active authentication; however, the user
cannot authenticate when accessing a website.

Which protocol must FortiGate allow even though the user cannot authenticate?

a. DHCP

b. DNS

c. ICMP

d. LDAP

5. FGT-1 and FGT-2 are updated with HA configuration commands shown in the exhibit. What
would be the expected outcome in the HA cluster?

A. FGT-1 will remain the primary because FGT-2 has lower priority.

B. FGT-2 will take over as the primary because it has the override enable setting and
higher priority than FGT-1.

C. FGT-1 will synchronize the override disable setting with FGT-2.

D. The HA cluster will become out of sync because the override setting must match on all
HA members.

6. Which three strategies are valid SD-WAN rule strategies for member selection? (Choose
three.)

a. Best Quality with load balancing

b. Manual with load balancing

c. Lowest Quality (SLA) with load balancing

d. Lowest Cost (SLA) without load balancing

e. Lowest Cost (SLA) with load balancing

7. The exhibits show a diagram of a FortiGate device connected to the network, and the
firewall configuration.

An administrator created a Deny policy with default settings to deny Webserver access for
Remote-User2.

The policy should work such that Remote-User1 must be able to access the Webserver
while preventing Remote-User2 from accessing the Webserver. Which two configuration
changes can the administrator make to the policy to deny Webserver access for
Remote-User2? (Choose two.)

A. Enable match-vip in the Deny policy.

B. Set the Destination address as Webserver in the Deny policy.

C. Disable match-vip in the Deny policy.

D. Set the Destination address as Deny IP in the Allow_access policy.

8. Refer to the exhibit, which shows a partial configuration from the remote authentication
server.

Why does the FortiGate administrator need this configuration?

a. To set up a RADIUS server secret

b. To authenticate and match the Training OU on the RADIUS server

c. To authenticate only the Training user group.

d. To authenticate any FortiGate user groups

9. Refer to the exhibits.

The exhibits show a diagram of a FortiGate device connected to the network, VIP
configuration, firewall policy, and the sniffer CLI output on the FortiGate device.

The WAN (port1) interface has the IP address [Link]/24.

The LAN (port3) interface has the IP address [Link]/24.

The webserver host ([Link]) must use its VIP external IP address as the source NAT
(SNAT) when it pings the remote server ([Link]).

Which two statements are valid to achieve this goal? (Choose two.)

a. Create a new firewall policy before Internet Access for the webserver and apply the IP
pool.

b. Disable port forwarding on the VIP object.

c. Disable NAT on the Internet Access firewall policy.

d. Enable NAT on the Allow_access firewall policy.
